Spring Boot Actuator Endpoints security doesn't work with custom Spring Security Configuration

后端 未结 4 1414
[愿得一人]
[愿得一人] 2021-02-05 15:19

This is my Spring Boot 1.5.1 Actuator application.properties:

#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0
         


        
相关标签:
4条回答
  • 2021-02-05 15:49

    To have authorization to spring boot actuator endpoints you need to have ACTUATOR role. Refer this example Accessing Restricted Actuator Endpoints with Spring Security

    0 讨论(0)
  • 2021-02-05 15:49

    I'm coming at this from a Reactive Spring Boot 2.x app and had this problem and solved it by updating the WebSecurityConfig.securityWebFilterChain as well as SecurityContextRepository.load to include /actuator/** as follows:

    public class WebSecurityConfig {
      private AuthenticationManager authenticationManager;
    
      private SecurityContextRepository securityContextRepository;
    
      @Autowired
      public WebSecurityConfig(AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) {
        this.authenticationManager = authenticationManager;
        this.securityContextRepository = securityContextRepository;
      }
    
      @Bean
      public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
          .exceptionHandling()
          .authenticationEntryPoint((swe, e) -> Mono.fromRunnable(() -> {
            swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
          })).accessDeniedHandler((swe, e) -> Mono.fromRunnable(() -> {
            swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
          })).and()
          .csrf().disable()
          .formLogin().disable()
          .httpBasic().disable()
          .authenticationManager(authenticationManager)
          .securityContextRepository(securityContextRepository)
          .authorizeExchange()
          .pathMatchers("/actuator/**").permitAll()
          .anyExchange().authenticated()
          .and().build();
      }
    

    as well as updating

    @Slf4j
    @Component
    public class SecurityContextRepository implements ServerSecurityContextRepository {
    
      private AuthenticationManager authenticationManager;
    
      public SecurityContextRepository(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
      }
    
      @Override
      public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
        return Mono.error(new UnsupportedOperationException("Not supported"));
      }
    
      @Override
      public Mono<SecurityContext> load(ServerWebExchange swe) {
        ServerHttpRequest request = swe.getRequest();
    
        if (request.getPath().value().startsWith("/actuator") ) {
          return Mono.empty();
        }
        // other authentication logic here
      }
    
    0 讨论(0)
  • 2021-02-05 15:51

    You have to use prefix ROLE_ for your management.security.roles for example management.security.roles=ROLE_SOMENAME in order to solve this issue

    0 讨论(0)
  • 2021-02-05 15:56

    According to this link:

    http://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-monitoring.html

    By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. Security is enforced using the standard HttpServletRequest.isUserInRole method.

    Use the management.security.roles property if you want something different to ACTUATOR.

    So I think all you have to do is set the following property in application.properties.

    management.security.roles
    

    Ex:

    management.security.roles=R_0
    
    0 讨论(0)
提交回复
热议问题